guardrail-security 1.0.2 → 2.0.0

package/dist/utils/semver.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Lightweight Semver Utilities
+ * Proper version comparison for vulnerability checking
+ * (Avoids incorrect lexicographic comparison like "10.0.0" < "2.0.0")
+ */
+export interface SemverParts {
+    major: number;
+    minor: number;
+    patch: number;
+    prerelease?: string;
+}
+/**
+ * Parse a semver string into components
+ * Handles formats: 1.2.3, 1.2.3-beta.1, ^1.2.3, ~1.2.3
+ */
+export declare function parseSemver(version: string): SemverParts | null;
+/**
+ * Compare two semver versions
+ * Returns: -1 if a < b, 0 if a == b, 1 if a > b
+ */
+export declare function compareSemver(a: string, b: string): number;
+/**
+ * Check if version is less than target
+ * Enterprise-grade: "10.0.0" is NOT less than "2.0.0"
+ */
+export declare function isVersionLessThan(version: string, target: string): boolean;
+/**
+ * Check if version satisfies a range expression
+ * Supports: <1.2.3, <=1.2.3, >1.2.3, >=1.2.3, 1.2.3 (exact)
+ */
+export declare function satisfiesRange(version: string, range: string): boolean;
+/**
+ * Check if version is affected by vulnerability
+ * affectedVersions format: "<4.17.21" or ">=1.0.0 <2.0.0"
+ */
+export declare function isAffected(version: string, affectedVersions: string): boolean;
+//# sourceMappingURL=semver.d.ts.map

package/dist/utils/semver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"semver.d.ts","sourceRoot":"","sources":["../../src/utils/semver.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI,CAyB/D;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CA4B1D;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAE1E;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAkBtE;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAM7E"}

package/dist/utils/semver.js

@@ -0,0 +1,109 @@
+"use strict";
+/**
+ * Lightweight Semver Utilities
+ * Proper version comparison for vulnerability checking
+ * (Avoids incorrect lexicographic comparison like "10.0.0" < "2.0.0")
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseSemver = parseSemver;
+exports.compareSemver = compareSemver;
+exports.isVersionLessThan = isVersionLessThan;
+exports.satisfiesRange = satisfiesRange;
+exports.isAffected = isAffected;
+/**
+ * Parse a semver string into components
+ * Handles formats: 1.2.3, 1.2.3-beta.1, ^1.2.3, ~1.2.3
+ */
+function parseSemver(version) {
+    // Strip range prefixes
+    const cleaned = version.replace(/^[\^~>=<]+/, '').trim();
+    // Match semver pattern
+    const match = cleaned.match(/^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/);
+    if (!match) {
+        // Try partial versions (1.2, 1)
+        const partial = cleaned.match(/^(\d+)(?:\.(\d+))?$/);
+        if (partial) {
+            return {
+                major: parseInt(partial[1] ?? '0', 10),
+                minor: partial[2] ? parseInt(partial[2], 10) : 0,
+                patch: 0,
+            };
+        }
+        return null;
+    }
+    return {
+        major: parseInt(match[1] ?? '0', 10),
+        minor: parseInt(match[2] ?? '0', 10),
+        patch: parseInt(match[3] ?? '0', 10),
+        prerelease: match[4],
+    };
+}
+/**
+ * Compare two semver versions
+ * Returns: -1 if a < b, 0 if a == b, 1 if a > b
+ */
+function compareSemver(a, b) {
+    const parsedA = parseSemver(a);
+    const parsedB = parseSemver(b);
+    if (!parsedA || !parsedB) {
+        // Fallback to string comparison if parsing fails
+        return a.localeCompare(b, undefined, { numeric: true, sensitivity: 'base' });
+    }
+    // Compare major.minor.patch
+    if (parsedA.major !== parsedB.major) {
+        return parsedA.major < parsedB.major ? -1 : 1;
+    }
+    if (parsedA.minor !== parsedB.minor) {
+        return parsedA.minor < parsedB.minor ? -1 : 1;
+    }
+    if (parsedA.patch !== parsedB.patch) {
+        return parsedA.patch < parsedB.patch ? -1 : 1;
+    }
+    // Handle prerelease (1.0.0-alpha < 1.0.0)
+    if (parsedA.prerelease && !parsedB.prerelease)
+        return -1;
+    if (!parsedA.prerelease && parsedB.prerelease)
+        return 1;
+    if (parsedA.prerelease && parsedB.prerelease) {
+        return parsedA.prerelease.localeCompare(parsedB.prerelease);
+    }
+    return 0;
+}
+/**
+ * Check if version is less than target
+ * Enterprise-grade: "10.0.0" is NOT less than "2.0.0"
+ */
+function isVersionLessThan(version, target) {
+    return compareSemver(version, target) < 0;
+}
+/**
+ * Check if version satisfies a range expression
+ * Supports: <1.2.3, <=1.2.3, >1.2.3, >=1.2.3, 1.2.3 (exact)
+ */
+function satisfiesRange(version, range) {
+    const trimmed = range.trim();
+    if (trimmed.startsWith('<=')) {
+        return compareSemver(version, trimmed.slice(2)) <= 0;
+    }
+    if (trimmed.startsWith('<')) {
+        return compareSemver(version, trimmed.slice(1)) < 0;
+    }
+    if (trimmed.startsWith('>=')) {
+        return compareSemver(version, trimmed.slice(2)) >= 0;
+    }
+    if (trimmed.startsWith('>')) {
+        return compareSemver(version, trimmed.slice(1)) > 0;
+    }
+    // Exact match
+    return compareSemver(version, trimmed) === 0;
+}
+/**
+ * Check if version is affected by vulnerability
+ * affectedVersions format: "<4.17.21" or ">=1.0.0 <2.0.0"
+ */
+function isAffected(version, affectedVersions) {
+    // Split on spaces for compound ranges
+    const parts = affectedVersions.split(/\s+/).filter(Boolean);
+    // All conditions must be satisfied
+    return parts.every(part => satisfiesRange(version, part));
+}

package/package.json

@@ -1,8 +1,18 @@
 {
   "name": "guardrail-security",
-  "version": "1.0.2",
+  "version": "2.0.0",
+  "description": "Guardrail Security - Secret detection and vulnerability scanning",
   "main": "./dist/index.js",
-  "files": ["dist/**/*", "src/**/*"],
+  "files": ["dist/**/*"],
+  "license": "MIT",
+  "author": "Guardrail Team <team@getguardrail.io>",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/guardiavault-oss/codeguard.git"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
   "types": "./dist/index.d.ts",
   "exports": {
     ".": {
@@ -22,11 +32,15 @@
     "@azure/identity": "^4.0.0",
     "@google-cloud/secret-manager": "^5.0.0",
     "node-vault": "^0.10.2",
-    "glob": "^10.3.10"
+    "glob": "^10.3.10",
+    "yaml": "^2.3.4"
   },
   "devDependencies": {
     "@types/node": "^20.10.0",
     "typescript": "^5.3.3",
     "vitest": "^1.2.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
   }
 }

package/src/__tests__/license/engine.test.ts

@@ -1,250 +0,0 @@
-/**
- * License Compliance Engine Tests
- *
- * Test suite for the LicenseComplianceEngine class
- */
-
-import { describe, it, expect, beforeEach, jest } from "@jest/globals";
-import { LicenseComplianceEngine } from "../../license/engine";
-
-// Import ResponseType
-type ResponseType =
-  | "basic"
-  | "cors"
-  | "default"
-  | "error"
-  | "opaque"
-  | "opaqueredirect";
-
-// Mock fs
-jest.mock("fs", () => ({
-  readFileSync: jest.fn<(path: string) => string>().mockReturnValue(""),
-  existsSync: jest.fn<(path: string) => boolean>(() => true),
-}));
-
-// Mock prisma
-jest.mock("@guardrail/database", () => ({
-  prisma: {
-    licenseAnalysis: {
-      findMany: jest.fn<() => Promise<any[]>>().mockResolvedValue([]),
-      create: jest.fn<() => Promise<any>>().mockResolvedValue({}),
-      update: jest.fn<() => Promise<any>>().mockResolvedValue({}),
-      delete: jest.fn<() => Promise<any>>().mockResolvedValue({}),
-      findUnique: jest.fn<() => Promise<any>>().mockResolvedValue(null),
-    },
-  },
-}));
-
-// Mock fetch
-const mockFetch = jest.fn<() => Promise<Response>>();
-global.fetch = mockFetch;
-
-describe("LicenseComplianceEngine", () => {
-  let engine: LicenseComplianceEngine;
-
-  beforeEach(() => {
-    engine = new LicenseComplianceEngine();
-    jest.clearAllMocks();
-  });
-
-  describe("license fetching", () => {
-    it("should fetch license from npm registry", async () => {
-      const mockResponse = {
-        ok: true,
-        json: jest.fn<() => Promise<any>>().mockResolvedValue({
-          "dist-tags": { latest: "1.0.0" },
-          versions: {
-            "1.0.0": {
-              license: "MIT",
-            },
-          },
-        }),
-        headers: new Headers(),
-        status: 200,
-        statusText: "OK",
-        type: "basic" as ResponseType,
-        url: "",
-        redirected: false,
-        clone: jest.fn<() => Response>(),
-        body: null,
-        bodyUsed: false,
-        bytes: jest.fn<() => Promise<Uint8Array<ArrayBufferLike>>>(),
-        text: jest.fn<() => Promise<string>>(),
-        blob: jest.fn<() => Promise<Blob>>(),
-        formData: jest.fn<() => Promise<FormData>>(),
-        arrayBuffer: jest.fn<() => Promise<ArrayBuffer>>(),
-      };
-
-      mockFetch.mockResolvedValue(mockResponse);
-
-      // Access private method through type assertion
-      const result = await (engine as any).fetchLicenseFromRegistry(
-        "test-package",
-      );
-
-      expect(result.license).toBe("MIT");
-      expect(result.category).toBe("permissive");
-    });
-
-    it("should handle SPDX expressions", async () => {
-      const mockResponse = {
-        ok: true,
-        json: jest.fn<() => Promise<any>>().mockResolvedValue({
-          "dist-tags": { latest: "1.0.0" },
-          versions: {
-            "1.0.0": {
-              license: {
-                type: "MIT",
-              },
-            },
-          },
-        }),
-        headers: new Headers(),
-        status: 200,
-        statusText: "OK",
-        type: "basic" as ResponseType,
-        url: "",
-        redirected: false,
-        clone: jest.fn<() => Response>(),
-        body: null,
-        bodyUsed: false,
-        bytes: jest.fn<() => Promise<Uint8Array<ArrayBufferLike>>>(),
-        text: jest.fn<() => Promise<string>>(),
-        blob: jest.fn<() => Promise<Blob>>(),
-        formData: jest.fn<() => Promise<FormData>>(),
-        arrayBuffer: jest.fn<() => Promise<ArrayBuffer>>(),
-      };
-
-      mockFetch.mockResolvedValue(mockResponse);
-
-      const result = await (engine as any).fetchLicenseFromRegistry(
-        "test-package",
-      );
-
-      expect(result.license).toBe("MIT");
-    });
-
-    it("should normalize license names", async () => {
-      // Test the normalizeLicenseName method directly
-      const result = (engine as any).normalizeLicenseName("Apache 2.0");
-      expect(result).toBe("Apache-2.0");
-    });
-
-    it("should use fallback on network error", async () => {
-      mockFetch.mockRejectedValue(new Error("Network error"));
-
-      const result = await (engine as any).fetchLicenseFromRegistry(
-        "private-package",
-      );
-
-      expect(result.license).toBe("UNKNOWN");
-      expect(result.category).toBe("unknown");
-    });
-  });
-
-  describe("license categorization", () => {
-    it("should categorize MIT as permissive", () => {
-      const result = (engine as any).categorizeLicense("MIT");
-      expect(result).toBe("permissive");
-    });
-
-    it("should categorize GPL as copyleft", () => {
-      const result = (engine as any).categorizeLicense("GPL-3.0");
-      expect(result).toBe("copyleft");
-    });
-
-    it("should categorize LGPL as weak-copyleft", () => {
-      const result = (engine as any).categorizeLicense("LGPL-3.0");
-      expect(result).toBe("weak-copyleft");
-    });
-
-    it("should categorize unknown licenses", () => {
-      const result = (engine as any).categorizeLicense("UNKNOWN-LICENSE");
-      expect(result).toBe("unknown");
-    });
-  });
-
-  describe("conflict detection", () => {
-    it("should detect GPL contamination in proprietary project", () => {
-      const dependencies = [
-        { name: "dep1", license: "MIT", category: "permissive" },
-        { name: "dep2", license: "GPL-3.0", category: "copyleft" },
-      ];
-
-      const conflicts = (engine as any).detectGPLContamination(
-        dependencies,
-        "Proprietary",
-      );
-
-      expect(conflicts).toHaveLength(2);
-      expect(conflicts[0].dependency).toBe("dep1");
-      expect(conflicts[0].severity).toBe("warning");
-      expect(conflicts[1].dependency).toBe("dep2");
-      expect(conflicts[1].severity).toBe("error");
-    });
-
-    it("should allow LGPL in Apache project", () => {
-      const dependencies = [
-        { name: "dep1", license: "Apache-2.0", category: "permissive" },
-        { name: "dep2", license: "LGPL-3.0", category: "weak-copyleft" },
-      ];
-
-      const conflicts = (engine as any).detectGPLContamination(
-        dependencies,
-        "Apache-2.0",
-      );
-
-      expect(conflicts).toHaveLength(0);
-    });
-  });
-
-  describe("project analysis", () => {
-    it("should analyze simple project", async () => {
-      const mockFs = await import("fs");
-      jest.mocked(mockFs.readFileSync).mockReturnValue(
-        JSON.stringify({
-          dependencies: {
-            express: "^4.18.0",
-            lodash: "^4.17.21",
-          },
-        }),
-      );
-
-      // Mock fetch responses
-      mockFetch.mockResolvedValue({
-        ok: true,
-        json: jest.fn<() => Promise<any>>().mockResolvedValue({
-          "dist-tags": { latest: "1.0.0" },
-          versions: {
-            "1.0.0": { license: "MIT" },
-          },
-        }),
-        headers: new Headers(),
-        status: 200,
-        statusText: "OK",
-        type: "basic" as ResponseType,
-        url: "",
-        redirected: false,
-        clone: jest.fn<() => Response>(),
-        body: null,
-        bodyUsed: false,
-        bytes: jest.fn<() => Promise<Uint8Array<ArrayBufferLike>>>(),
-        text: jest.fn<() => Promise<string>>(),
-        blob: jest.fn<() => Promise<Blob>>(),
-        formData: jest.fn<() => Promise<FormData>>(),
-        arrayBuffer: jest.fn<() => Promise<ArrayBuffer>>(),
-      });
-
-      const result = await engine.analyzeProject(
-        "/test/path",
-        "test-project",
-        "MIT",
-      );
-
-      expect(result.projectId).toBe("test-project");
-      expect(result.projectLicense).toBe("MIT");
-      expect(result.dependencies).toHaveLength(2);
-      expect(result.overallStatus).toBe("compliant");
-    });
-  });
-});

package/src/__tests__/supply-chain/typosquat.test.ts

@@ -1,191 +0,0 @@
-/**
- * Typosquat Detector Tests
- *
- * Test suite for the TyposquatDetector class
- */
-
-import { describe, it, expect, beforeEach } from "@jest/globals";
-import { TyposquatDetector } from "../../supply-chain/typosquat";
-
-describe("TyposquatDetector", () => {
-  let detector: TyposquatDetector;
-
-  beforeEach(() => {
-    detector = new TyposquatDetector();
-  });
-
-  describe("Exact Match Detection", () => {
-    const legitimatePackages = [
-      "react",
-      "vue",
-      "express",
-      "lodash",
-      "typescript",
-      "axios",
-      "webpack",
-      "jest",
-    ];
-
-    it.each(legitimatePackages)(
-      "should NOT flag legitimate package: %s",
-      async (pkg) => {
-        const result = await detector.detectTyposquatting(pkg);
-        expect(result.isTyposquat).toBe(false);
-      },
-    );
-  });
-
-  describe("Character Swap Detection", () => {
-    const swapAttempts = [
-      { input: "raect", target: "react" },
-      { input: "exrpess", target: "express" },
-      { input: "loadsh", target: "lodash" },
-      { input: "axois", target: "axios" },
-    ];
-
-    it.each(swapAttempts)(
-      "should detect character swap: $input -> $target",
-      async ({ input, target }) => {
-        const result = await detector.detectTyposquatting(input);
-        expect(result.isTyposquat).toBe(true);
-        expect(result.targetPackage).toBe(target);
-        expect(result.patterns).toContain("character_swap");
-      },
-    );
-  });
-
-  describe("Missing Character Detection", () => {
-    const missingCharAttempts = [
-      { input: "rect", target: "react" },
-      { input: "expres", target: "express" },
-      { input: "lodas", target: "lodash" },
-      { input: "webpck", target: "webpack" },
-    ];
-
-    it.each(missingCharAttempts)(
-      "should detect missing character: $input -> $target",
-      async ({ input, target }) => {
-        const result = await detector.detectTyposquatting(input);
-        expect(result.isTyposquat).toBe(true);
-        expect(result.targetPackage).toBe(target);
-        expect(result.patterns).toContain("missing_character");
-      },
-    );
-  });
-
-  describe("Extra Character Detection", () => {
-    const extraCharAttempts = [
-      { input: "reactt", target: "react" },
-      { input: "expresss", target: "express" },
-      { input: "lodassh", target: "lodash" },
-      { input: "axioss", target: "axios" },
-    ];
-
-    it.each(extraCharAttempts)(
-      "should detect extra character: $input -> $target",
-      async ({ input, target }) => {
-        const result = await detector.detectTyposquatting(input);
-        expect(result.isTyposquat).toBe(true);
-        expect(result.targetPackage).toBe(target);
-        expect(result.patterns).toContain("extra_character");
-      },
-    );
-  });
-
-  describe("Homoglyph Detection", () => {
-    const homoglyphAttempts = [
-      { input: "reаct", description: "cyrillic a" },
-      { input: "exprеss", description: "cyrillic e" },
-      { input: "l0dash", description: "zero for o" },
-      { input: "ax1os", description: "one for i" },
-    ];
-
-    it.each(homoglyphAttempts)(
-      "should detect homoglyph attack: $input ($description)",
-      async ({ input }) => {
-        const result = await detector.detectTyposquatting(input);
-        // Homoglyph detection may vary based on implementation
-        expect(result.similarity).toBeGreaterThan(0);
-      },
-    );
-  });
-
-  describe("Combosquatting Detection", () => {
-    const comboAttempts = [
-      { input: "react-native-helper", target: "react" },
-      { input: "express-security", target: "express" },
-      { input: "lodash-utils", target: "lodash" },
-      { input: "axios-wrapper", target: "axios" },
-    ];
-
-    it.each(comboAttempts)(
-      "should detect combosquatting: $input -> $target",
-      async ({ input }) => {
-        const result = await detector.detectTyposquatting(input);
-        if (result.isTyposquat) {
-          expect(result.patterns).toContain("combosquatting");
-        }
-      },
-    );
-  });
-
-  describe("Levenshtein Distance", () => {
-    it("should calculate similarity based on Levenshtein distance", async () => {
-      const result = await detector.detectTyposquatting("reakt");
-      expect(result.similarity).toBeGreaterThan(0.7);
-    });
-
-    it("should have low similarity for unrelated packages", async () => {
-      const result = await detector.detectTyposquatting(
-        "completely-different-package",
-      );
-      expect(result.similarity).toBeLessThan(0.5);
-    });
-  });
-
-  describe("Result Structure", () => {
-    it("should return complete result structure", async () => {
-      const result = await detector.detectTyposquatting("reakt");
-
-      expect(result).toHaveProperty("isTyposquat");
-      expect(result).toHaveProperty("suspiciousPackage");
-      expect(result).toHaveProperty("similarity");
-      expect(result).toHaveProperty("patterns");
-      expect(Array.isArray(result.patterns)).toBe(true);
-    });
-
-    it("should include target package when typosquat detected", async () => {
-      const result = await detector.detectTyposquatting("reakt");
-
-      if (result.isTyposquat) {
-        expect(result.targetPackage).toBeDefined();
-      }
-    });
-  });
-
-  describe("Edge Cases", () => {
-    it("should handle empty string", async () => {
-      const result = await detector.detectTyposquatting("");
-      expect(result.isTyposquat).toBe(false);
-    });
-
-    it("should handle very long package names", async () => {
-      const longName = "a".repeat(100);
-      const result = await detector.detectTyposquatting(longName);
-      expect(result).toBeDefined();
-    });
-
-    it("should handle special characters", async () => {
-      const result = await detector.detectTyposquatting("@scope/react");
-      expect(result).toBeDefined();
-    });
-
-    it("should be case insensitive", async () => {
-      const result1 = await detector.detectTyposquatting("REACT");
-      const result2 = await detector.detectTyposquatting("React");
-      // Both should handle case variations
-      expect(result1).toBeDefined();
-      expect(result2).toBeDefined();
-    });
-  });
-});